[Servercert-wg] Question regarding the id-ad-caIssuers accessMethod URI
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Thu Apr 25 06:03:03 UTC 2024
Dear Members,
I have a quick question regarding the id-ad-caIssuers accessMethod URI.
Section 4.2.2.1 of RFC 5280
<https://www.rfc-editor.org/rfc/rfc5280.html#section-4.2.2.1> states that:
> When the id-ad-caIssuers accessMethod is used, at least one instance
> SHOULD specify an accessLocation that is an HTTP [RFC2616] or LDAP
> [RFC4516] URI.
RFC 2616 does not support https. That was introduced in a superseded
version.
Since RFC 5280 points to RFC 2616, based on past discussions about
strictly adhering to RFC 5280 despite the existence of superseded
versions, I believe that the proper interpretation of this requirement
is that the "http" scheme is allowed and "https" is not.
Do Members agree with that interpretation?
If this is the correct interpretation, would it be considered a
violation of the BRs if a CA or end-entity certificate contains an https://
URL in the id-ad-caIssuers accessMethod?
I'm afraid that this might not be as clear in the BRs as it should be,
so if people agree with the above, we should probably update section
7.1.2.7.7
<https://github.com/cabforum/servercert/blob/main/docs/BR.md#71277-subscriber-certificate-authority-information-access>
(and possibly other parts) to explicitly state that the allowed scheme
is "http" and not "https", just like we do for the CRLDP in section
7.1.2.11.2
<https://github.com/cabforum/servercert/blob/main/docs/BR.md#712112-crl-distribution-points>.
Thank you,
Dimitris.
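An added example, not part of Dimitris's message or any CA/B Forum tooling: a stdlib-only Python lint that decodes a DER-encoded AuthorityInfoAccess value and reports id-ad-caIssuers URIs whose scheme is neither http nor ldap (the reading of RFC 5280 proposed above). The sample extension bytes are constructed for this example, and the example.test hostnames are placeholders.

```python
from urllib.parse import urlsplit

# accessMethod OIDs as DER OBJECT IDENTIFIER contents
OCSP_OID = b"\x2b\x06\x01\x05\x05\x07\x30\x01"        # 1.3.6.1.5.5.7.48.1
CA_ISSUERS_OID = b"\x2b\x06\x01\x05\x05\x07\x30\x02"  # 1.3.6.1.5.5.7.48.2
ACCESS_METHODS = {OCSP_OID: "id-ad-ocsp", CA_ISSUERS_OID: "id-ad-caIssuers"}
ALLOWED_SCHEMES = {"http", "ldap"}   # RFC 2616 and RFC 4516 URIs only

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_aia(der):
    """Return (accessMethod name, URI) pairs for URI-typed accessLocations."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AuthorityInfoAccess must be a SEQUENCE")
    pairs, pos = [], 0
    while pos < len(body):
        _, desc, pos = _tlv(body, pos)           # AccessDescription SEQUENCE
        _, oid, p = _tlv(desc, 0)                # accessMethod OBJECT IDENTIFIER
        tag, loc, _ = _tlv(desc, p)              # accessLocation GeneralName
        if tag == 0x86:                          # [6] uniformResourceIdentifier
            pairs.append((ACCESS_METHODS.get(oid, oid.hex()), loc.decode("ascii")))
    return pairs

def non_http_ca_issuers(der):
    """caIssuers URIs whose scheme is not http or ldap (e.g. https)."""
    return [uri for method, uri in parse_aia(der)
            if method == "id-ad-caIssuers"
            and urlsplit(uri).scheme.lower() not in ALLOWED_SCHEMES]

def _der(tag, payload):                          # short-form length suffices here
    return bytes([tag, len(payload)]) + payload

def _access_desc(oid, uri):
    return _der(0x30, _der(0x06, oid) + _der(0x86, uri.encode("ascii")))

# Constructed sample AIA value (not taken from any real certificate).
SAMPLE_AIA = _der(0x30, _access_desc(OCSP_OID, "http://ocsp.example.test")
                  + _access_desc(CA_ISSUERS_OID, "http://aia.example.test/ca.cer")
                  + _access_desc(CA_ISSUERS_OID, "https://aia.example.test/ca.cer"))

if __name__ == "__main__":
    print(non_http_ca_issuers(SAMPLE_AIA))       # ['https://aia.example.test/ca.cer']
```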